Is it Time to Facilitate Cyberwar?

by Duncan Hollis

The New York Times (along with much of the mainstream media) has “rediscovered” cyberwar of late (see here, here, here, and here). Today’s story revives longstanding differences between Russian government proposals to regulate cyberwarfare by treaty versus existing U.S. preferences to place the issue in more informal law enforcement cooperation networks:

Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official.

The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, American officials say.

“We really believe it’s defense, defense, defense,” said the State Department official, who asked not to be identified because authorization had not been given to speak on the record. “They want to constrain offense. We needed to be able to criminalize these horrible 50,000 attacks we were getting a day.”

That doesn’t seem consistent with earlier reports on the Administration’s position:

As Mr. Obama’s team quickly discovered, the Pentagon and the intelligence agencies both concluded in Mr. Bush’s last years in office that it would not be enough to simply build higher firewalls and better virus detectors or to restrict access to the federal government’s own computers.

“The fortress model simply will not work for cyber,” said one senior military officer who has been deeply engaged in the debate for several years. “Someone will always get in.”

Hmmm. I wonder which U.S. position will prevail here? As for my own views, I’m already well on the record in favor of an extended conversation among governments about how international law applies to military uses of cyberspace, whether in a defensive or offensive capacity. That said, I’m not sure a global treaty is the first, let alone the second, third, or fourth step in this process. We’ve still got a way to go for states to work out what the technology can do (i.e. what’s similar to kinetic weaponry and what can we now do that kinetic weaponry could never achieve), how anonymous this technology really is, and where its usage will give rise to the greatest concerns for states, their militaries, and civilian populations. Given the host of uncertainty and confusion now surrounding these issues, I think it makes more sense for regional groupings of states (e.g., NATO) or even non-governmental IHL experts to address these issues first, before trying to get every nation state onto the same page. And if there has to be a global conversation from the get go, I’d favor it producing political commitments rather than some grand scale treaty (my love for those instruments notwithstanding). As a result, I’m sympathetic to U.S. resistance to these Russian proposals.

On the other hand, the Administration’s stonewalling still confuses me. Is the U.S. refusing negotiations today for the same reason it did in 1998 — because it doesn’t agree with how the Russians propose to regulate cyberwarfare (i.e., by prohibiting or banning the technological means of cyberwarfare)? Would the United States accept proposals to discuss regulating cyberwar if the focus were on its effects (i.e., avoiding indiscriminate cyberattacks on civilians that produce casualties) or its targets (i.e., no cyberattacks on hospitals)? Or, has the Administration decided that it prefers no new regulation at all — i.e., that there is some comparative advantage for the United States in having no specific rules for cyberattacks? I’m assuming that no one in the Administration is arguing that without specific rules, no rules apply. IHL, other rules of public international law, and domestic legal systems do regulate any and all uses of cyberspace, even if they do so inefficiently and with lots of confusion. As a result, I’m hard pressed to see how any comparative advantage actually plays out for U.S. defenses against cyberwar under this status quo. Cyberattacks linked to states (as the aggressor or the victim) will trigger debates akin to what we’ve seen in the context of global terrorism–i.e., is a cyberattack always a crime, for which law enforcement is the only appropriate response? Or, are certain cyberattacks “armed attacks,” permitting the United States to respond militarily in self-defense? Or, can cyberattacks trigger both regimes simultaneously (with inevitable turf fights over which regime has priority). In the end, I fear that absent some understanding of what rules apply to cyberspace specifically, there’s a risk of unintended escalation in cyberconflicts where the United States and its adversary operate with different default presumptions about the appropriate regime (i.e. a Chinese cyberattack China views as falling short of an armed attack is treated by the United States as an armed attack, leading to a U.S. military response in self defense, followed by a Chinese response to what they view as an “illegal” U.S. use of force, etc., etc.).

Moreover, I worry that so much of the current conversation focuses on the threat of cyberwar. And, to be clear, I agree that there are a lot of threats presented by this topic. But, it’s important to remember that international rules don’t simply prohibit (or restrict) state conduct; they also simultaneously permit (or facilitate) state conduct. IHL doesn’t just prohibit certain weapons, it also implicitly legalizes the use of other weapons that are not prohibited (subject, of course, to additional restrictions on appropriate circumstances for deploying “legal” weaponry).

Thus, we should view cyberwarfare not solely as a topic for prohibition or restriction, but also, as something to permit or even facilitate in the right circumstances. Cyberwar is not just a threat; it’s also an opportunity. This new technology has the potential to supplant traditional means of conflict and the attendant death and destruction they cause. Might it make sense, for example, to have states agree that within an international armed conflict (or a non-international armed conflict for that matter) cyberoptions should take precedence over those employing kinetic weaponry when both would achieve the same (necessary) military objective? Simply put, don’t we want states to hack the power grid temporarily rather than blowing it (and its operators) up permanently? Would we ever want IHL to permit cyberattacks directly targeting civilian populations that cause some (but not great) harm to a lot of individuals instead of the alternative of attacking a military target that will produce great harm (i.e., death) to a few civilians as collateral damage?

Now, I’m not taking sides on these questions so much as suggesting that these are questions I’d like to see U.S. officials address publicly. And, whatever the Russians may suggest, I don’t think that it requires a treaty to do so. So, here’s hoping we see the United States at least agree to talk about these subjects in the weeks and months ahead even if we’re not going to see a cyberwar equivalent to this treaty any time soon.

March 1, 2015Guest Post: The Mirage of Hybrid Justice in Africa?[Patryk I. Labuda is a Ph.D. Candidate at the Graduate Institute of International and Development Studies in Geneva. Before joining the Geneva Academy of International Humanitarian Law and Human Rights, he worked in the Democratic Republic of Congo, ...

February 17, 2015The Absence of Practice Supporting the "Unwilling or Unable" Test
Regular readers of the blog know that one of my hobbyhorses is the "unwilling or unable" test for self-defense against non-state actors. As I have often pointed out, scholars seem much more enamored with the test than states. The newest (regrettable...